Lazarus Threat Group Exploiting Vulnerability of Korean Finance Security Solution - ASEC
By ATCP · Published: 2023-06-07 · Archived: 2026-04-05 15:58:06 UTC

As covered before on the ASEC Blog, the Lazarus threat group exploits vulnerabilities in INISAFE CrossWeb EX and MagicLine4NX in its attacks.

New Malware of Lazarus Threat Actor Group Exploiting INITECH Process (Apr 26, 2022)
A Case of Malware Infection by the Lazarus Attack Group Disabling Anti-Malware Programs With the BYOVD Technique (Oct 31, 2022)

While monitoring the activities of the Lazarus threat group, AhnLab Security Emergency response Center (ASEC) recently discovered that zero-day vulnerabilities in VestCert and TCO!Stream are also being exploited, in addition to the previously targeted INISAFE CrossWeb EX and MagicLine4NX. VestCert is web security software developed by Yettiesoft using a non-ActiveX approach, and TCO!Stream is a company asset management program made by MLsoft. Both are widely used by Korean companies. Because Lazarus actively seeks out and exploits new vulnerabilities in software used in Korea, businesses running these products should update to the latest versions promptly.

Malware Download via VestCert Vulnerability

The threat group uses the watering hole method for its initial breach of a company. When a user with a vulnerable version of VestCert installed on a Windows system visits a specific website into which a malicious script has been injected, PowerShell is executed, regardless of the web browser used, through a third-party library execution vulnerability in VestCert. As shown below, PowerShell then connects to a C2 server to download and execute malware.

Figure.
PowerShell command to download malware (WinSync.dll), executed through the VestCert vulnerability

Internal Propagation of Malware via TCO!Stream Vulnerability

The threat group uses the TCO!Stream vulnerability to propagate the malware from the initially compromised system to other internal systems. TCO!Stream consists of a server and a client; the server provides features such as software distribution to clients and remote control. To communicate with the server, the client always listens on TCP port 3511. Using malware it developed itself, the threat group generates command packets and sends them to the client. These command packets instruct the client to download and execute a specific file from the server. On receiving such a command, the client connects to the TCO!Stream server and downloads and executes the malicious file that the threat group has staged there in advance.

The malware created by the threat group is executed with a command line whose parameters are, in order:

- Name of the malicious file (MicrosoftVSA.bin, MicroForic.tlb, matrox86.bic, matrox86.tcm, matrox86.tcm, wincert.bin, mseng.bin)
- Device ID of the TCO server
- IP address of the target client system
- Port of the target client system (3511)
- Job ID used on the server

Figure. Parts of the decrypted command data (for analysis)

Location of the distributed file: C:\Packages\\\\
Run command: loadconf.exe –rt5y65i8##7poi88++5t4t54t54t5n

The above command downloads loadconf.exe, a backdoor downloader, to C:\Temp\ and executes it with an argument.

Vulnerability Information

ASEC analyzed the VestCert and TCO!Stream vulnerabilities exploited in this case and reported them to the Korea Internet & Security Agency (KISA). The information was also passed to the respective vendors, and the vulnerabilities in question have been patched.
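The TCO!Stream propagation described above leaves two signals that an organization's own telemetry can be checked for: a host other than the TCO!Stream server sending to a client's TCP port 3511 (the client accepts command packets on that port, so any other source is suspect, and one source fanning out to many clients is the lateral-movement pattern), and loadconf.exe starting from C:\Temp\. The following Python script is an added example and is not AhnLab's code or part of the original post. The CSV log layout, the server address 10.0.0.5, the host names and every log row are constructed assumptions, and because the post does not describe the command packet format, the network check keys only on source address and destination port.

```python
"""Hunt for the TCO!Stream propagation pattern over constructed sample logs."""
from __future__ import annotations

import csv
import io
import re
from collections import defaultdict
from dataclasses import dataclass

TCO_CLIENT_PORT = 3511  # port the TCO!Stream client listens on (from the post)

# Assumption for this example: the only legitimate TCO!Stream server.
# Populate this from your own asset inventory.
TCO_SERVERS = {"10.0.0.5"}

# The post names loadconf.exe dropped in C:\Temp\ as the backdoor downloader.
LOADCONF_IMAGE = re.compile(r"^c:\\temp\\loadconf\.exe$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    host: str    # client IP or hostname the signal fired on
    signal: str
    detail: str


# Constructed sample network-connection log (not from the post).
# Columns: ts,src,dst,dport. 10.0.1.77 plays the compromised initial victim
# pushing command packets to two other clients.
NET_LOG = """\
ts,src,dst,dport
2023-03-01T09:00:01,10.0.0.5,10.0.1.20,3511
2023-03-01T09:00:02,10.0.1.20,10.0.0.5,443
2023-03-01T09:05:10,10.0.1.77,10.0.1.20,3511
2023-03-01T09:05:11,10.0.1.77,10.0.1.21,3511
2023-03-01T09:06:00,10.0.1.77,10.0.1.22,445
"""

# Constructed sample process-creation log (not from the post).
# Columns: ts,host,image,cmdline.
PROC_LOG = """\
ts,host,image,cmdline
2023-03-01T09:05:20,WS-020,C:\\Temp\\loadconf.exe,loadconf.exe -rt5y65i8##7poi88++5t4t54t54t5n
2023-03-01T09:05:21,WS-021,C:\\Temp\\loadconf.exe,loadconf.exe -rt5y65i8##7poi88++5t4t54t54t5n
2023-03-01T09:06:00,WS-022,C:\\Windows\\System32\\svchost.exe,svchost.exe -k netsvcs
"""


def _rows(log_text: str):
    return csv.DictReader(io.StringIO(log_text))


def unexpected_tco_senders(net_log: str, tco_servers=TCO_SERVERS) -> dict[str, list[str]]:
    """Map each non-server source that talked to port 3511 to the clients it hit."""
    hits: dict[str, set[str]] = defaultdict(set)
    for row in _rows(net_log):
        if int(row["dport"]) == TCO_CLIENT_PORT and row["src"] not in tco_servers:
            hits[row["src"]].add(row["dst"])
    return {src: sorted(dsts) for src, dsts in sorted(hits.items())}


def loadconf_hosts(proc_log: str) -> list[str]:
    """Hosts that started loadconf.exe from C:\\Temp\\, in log order."""
    return [row["host"] for row in _rows(proc_log) if LOADCONF_IMAGE.match(row["image"])]


def run_hunt(net_log: str, proc_log: str, tco_servers=TCO_SERVERS) -> list[Finding]:
    """Combine both signals into one list of findings, network hits first."""
    findings: list[Finding] = []
    for src, dsts in unexpected_tco_senders(net_log, tco_servers).items():
        for dst in dsts:
            findings.append(Finding(dst, "tco_3511_from_non_server", f"command source {src}"))
    for row in _rows(proc_log):
        if LOADCONF_IMAGE.match(row["image"]):
            findings.append(Finding(row["host"], "loadconf_from_temp", row["cmdline"]))
    return findings


if __name__ == "__main__":
    for f in run_hunt(NET_LOG, PROC_LOG):
        print(f"{f.host:12} {f.signal:26} {f.detail}")
```

Run against real data, the network check is the stronger of the two: the file name and drop path can be changed by the attacker, but a client receiving TCO!Stream commands from anything other than the TCO!Stream server cannot be legitimate as long as TCO_SERVERS is complete.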
On March 13, a security advisory titled "Update Recommendation for Finance Security Solutions" was posted on KISA's vulnerability information portal (https://knvd.krcert.or.kr/detailSecNo.do?IDX=5881). However, the software in question does not update automatically, so many organizations are still running vulnerable versions. Users are advised to uninstall the software manually and then install the patched version. The VestCert and TCO!Stream vulnerabilities have been covered before on the ASEC Blog; the vulnerable and resolved versions of each product are as follows.

VestCert
Vulnerability information: Warning for Certification Solution (VestCert) Vulnerability and Update Recommendation (Mar 23, 2023)
Affected versions: 2.3.6 ~ 2.5.29
Resolved version: 2.5.30

TCO!Stream
Vulnerability information: Warning for Asset Management Program (TCO!Stream) Vulnerability and Update Recommendation (Mar 23, 2023)
Affected versions: 8.0.22.1115 and below
Resolved version: 8.0.23.215

AhnLab detects and blocks the malware, malicious behavior, and URLs using the following aliases.

[File Detection]
Trojan/Win.Lazardoor (2023.01.11.03)
Data/BIN.EncodedPE (2023.01.12.00)
Data/BIN.EncodedPE (2023.01.12.00)
Trojan/Win.Lazardoor (2022.01.05.01)
Trojan/Win.Lazardoor (2023.01.11.03)
Data/BIN.EncodedPE (2023.01.12.00)
Data/BIN.EncodedPE (2023.01.12.00)
Trojan/Win.Agent (2023.01.12.03)
Trojan/Win.LazarLoader (2023.01.21.00)

[Behavior Detection]
InitialAccess/EDR.Lazarus.M10963
Execution/EDR.Event.M10769
Injection/EDR.Lazarus.M10965
Fileless/EDR.Event.M11080

MD5
064d696a93a3790bd3a1b8b76baaeef3
55f0225d58585d60d486a3cc7eb93de5
67d306c163b38a06e98da5711e14c5a7
747177aad5aef020b82c6aeabe5b174f
8adeeb291b48c97db1816777432d97fd

SHA1
3ca6abf845f3528edf58418e5e42a9c1788efe7a
ec5d5941522d947abd6c9e82e615b46628a2155f
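Because neither product updates itself, confirming exposure means comparing an inventory of installed versions against the affected and resolved versions listed above. The following Python script is an added example, not AhnLab's or the vendors' code; the inventory rows and host names are constructed, and how the versions are collected from endpoints is left to the reader. It also shows why the comparison has to be numeric rather than string-based: compared as strings, 8.0.9.123 sorts after the fixed 8.0.23.215 and a vulnerable host would be reported as patched.

```python
"""Triage installed VestCert / TCO!Stream versions against the advisory ranges."""
from __future__ import annotations

# Inclusive affected ranges as listed above; lo=None means "and below".
ADVISORY = {
    "VestCert":   {"lo": "2.3.6", "hi": "2.5.29",      "fixed": "2.5.30"},
    "TCO!Stream": {"lo": None,    "hi": "8.0.22.1115", "fixed": "8.0.23.215"},
}


def parse_version(s: str) -> tuple[int, ...]:
    """'8.0.22.1115' -> (8, 0, 22, 1115). Always compare these tuples, never
    the raw strings: as strings '8.0.9.123' > '8.0.23.215'."""
    parts = s.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {s!r}")
    return tuple(int(p) for p in parts)


def compare(a: str, b: str) -> int:
    """-1, 0 or 1; missing trailing components count as 0 (2.5 == 2.5.0)."""
    va, vb = parse_version(a), parse_version(b)
    n = max(len(va), len(vb))
    va += (0,) * (n - len(va))
    vb += (0,) * (n - len(vb))
    return (va > vb) - (va < vb)


def status(product: str, version: str) -> str:
    """'vulnerable', 'fixed', 'below_range' (older than the advisory's lower
    bound, so not covered by it; still update) or 'untracked'."""
    rng = ADVISORY.get(product)
    if rng is None:
        return "untracked"
    if rng["lo"] is not None and compare(version, rng["lo"]) < 0:
        return "below_range"
    if compare(version, rng["hi"]) <= 0:
        return "vulnerable"
    return "fixed"


# Constructed inventory (host, product, installed version); not from the post.
INVENTORY = [
    ("WS-020", "VestCert",   "2.5.29"),
    ("WS-020", "TCO!Stream", "8.0.22.1115"),
    ("WS-021", "VestCert",   "2.5.30"),
    ("WS-021", "TCO!Stream", "8.0.23.215"),
    ("WS-022", "VestCert",   "2.3.6"),
    ("WS-023", "TCO!Stream", "8.0.9.123"),
]


def reinstall_list(inventory) -> dict[str, list[tuple[str, str, str]]]:
    """Hosts that still need the manual uninstall/reinstall, with the product,
    the installed version and the version to install."""
    todo: dict[str, list[tuple[str, str, str]]] = {}
    for host, product, version in inventory:
        if status(product, version) == "vulnerable":
            todo.setdefault(host, []).append((product, version, ADVISORY[product]["fixed"]))
    return todo


if __name__ == "__main__":
    for host, items in reinstall_list(INVENTORY).items():
        for product, installed, fixed in items:
            print(f"{host}: {product} {installed} -> reinstall {fixed}")
```

Versions older than VestCert 2.3.6 come back as "below_range" rather than "fixed" on purpose: the advisory does not say they are safe, only that they are outside the range it tested, so they belong on the reinstall list as well.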
URL
http[:]//ksmarathon[.]com/admin/excel2[.]asp
http[:]//www[.]sinae[.]or[.]kr/sub01/index[.]asp
https[:]//swt-keystonevalve[.]com/data/content/cache/cache[.]php?mode=read
https[:]//www[.]bcdm[.]or[.]kr/board/type3_D/edit[.]asp
https[:]//www[.]coupontreezero[.]com/include/bottom[.]asp

Additional IOCs are available on AhnLab TIP.

Source: https://asec.ahnlab.com/en/54195/